Critical Infrastructure: Control Systems and the Terrorist Threat


Summary 

Much of the U.S. critical infrastructure is potentially vulnerable to cyber-attack.
Industrial control computer systems involved in this infrastructure are specific points
of vulnerability, as cyber-security for these systems has not previously been perceived
as a high priority. Industry sectors potentially affected by a cyber-attack on process
control systems include the electrical, telephone, water, chemical, and energy sectors.

The federal government has issued warnings regarding increased terrorist interest
in the cyber-security of industrial control systems, citing international terrorist
organizations' interest in critical infrastructure and increases in cyber-attacks on
critical infrastructure computer systems. The potential consequences of a successful
cyber-attack on critical infrastructure industrial control systems could be high,
ranging from a temporary loss of service to catastrophic infrastructure failure
affecting multiple states for an extended duration.

The National Strategy for Securing Cyberspace, released in February 2003, contains
a number of suggestions regarding security measures for control systems. It calls for
further integration of public/private partnerships and information sharing, and
suggests that standards for securing control systems be developed and implemented.

The Homeland Security Act of 2002 (P.L. 107-296) consolidated several federal
entities that play a role in the cyber-security of control systems into the Department
of Homeland Security. These entities include the Critical Infrastructure Assurance
Office, the National Infrastructure Protection Center, the National Infrastructure
Simulation and Analysis Center, and parts of the Department of Energy's Office of
Energy Assurance. Additionally, the Homeland Security Act of 2002 created a new class
of information, critical infrastructure information, which can be withheld from the
public by the federal government.

Research and other efforts to increase the cyber-security of control systems occur
both at federal government facilities and through industry groups in critical
infrastructure sectors. The Department of Energy National Laboratories, the Department
of Defense, and the National Institute of Standards and Technology all have programs
to assess and ameliorate the cyber-vulnerabilities of control systems. Industry-based
research into standards, best practices, and control system encryption is ongoing in
the natural gas and electricity sectors.

Possible policy options for congressional consideration include further development
of uniform standards for infrastructure cyber-protection; growth in research into
security methods for industrial control systems; assessing the effectiveness of the
new exemptions to the Freedom of Information Act; and the integration of the previous
offices into the new Department of Homeland Security.


This report will be updated as events warrant.

Introduction 

This report addresses the cyber-vulnerability of critical infrastructure industries
which regularly use industrial control systems. Industrial control systems may be
vulnerable to infiltration by different routes, including wireless transmission, direct
access to control system computers, exploitation of dial-up modems used for
maintenance, or through the Internet. This report will specifically discuss the
potential for access to industrial control systems through the Internet.

The vulnerability of U.S. critical infrastructure to cyber-attack and catastrophic
failure was brought to light in 1997 in the report of the President's Commission on
Critical Infrastructure Protection.1 Among other concerns, the computer systems used
to remotely control process equipment were highlighted as specific points of
vulnerability. These systems were updated during the Y2K crisis, but their
cyber-security has not generally been a high priority. The events of September 11,
2001 have heightened public awareness of the nation's vulnerability to terrorist
attack, and a National Research Council report has identified "the potential for attack
on control systems" as requiring "urgent attention."2

Critical infrastructure is defined in the USA PATRIOT Act as those "systems and
assets, whether physical or virtual, so vital to the United States that the incapacity
or destruction of such systems and assets would have a debilitating impact on security,
national economic security, national public health or safety, or any combination of
those matters."3 Several industry sectors considered to be critical infrastructures use
industrial control systems in their daily activities. These industries could be
significantly affected by a cyber-attack targeting industrial control systems such as
supervisory control and data acquisition (SCADA) systems, distributed control systems,
and others. The President's Commission on Critical Infrastructure Protection report
stated,

From the cyber perspective, SCADA systems offer some of the most attractive
targets to disgruntled insiders and saboteurs intent on triggering a catastrophic
event. With the exponential growth of information system networks that
interconnect the business, administrative, and operational systems, significant


1 Presidential Commission on Critical Infrastructure Protection, Critical Foundations:
Protecting America's Infrastructures, October 1997.

2 National Research Council, Making the Nation Safer: The Role of Science and Technology
in Countering Terrorism, June 2002.

3 Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept
and Obstruct Terrorism (USA PATRIOT) Act, P.L. 107-56, Title X, Section 1016.
disruption would result if an intruder were able to access a SCADA system and
modify the data used for operational decisions, or modify programs that control
critical industry equipment or the data reported to control centers.4

Current Industrial Control System Vulnerability

The most commonly discussed industrial control systems include supervisory control
and data acquisition (SCADA) systems and distributed control systems (DCS).5 SCADA
systems are often used for remote monitoring over a large geographic area and for
transmitting commands to remote assets, such as valves and switches. For example,
they can be found in water utilities and oil pipelines, where they monitor flow rates
and pressures. Based on the data that these systems provide, computer programs or
operators at a central control center balance the flow of material. Generally, SCADA
systems process little data internally, instead performing analysis in a more central
location, but they are the primary conduits for raw data to, and commands from, a
control center. They may be vulnerable to the implantation of faulty data and to remote
access through dial-up modems used for maintenance.
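The following is an added illustration, not part of this report or of any vendor's product, of what the "implantation of faulty data" described above looks like on an unauthenticated telemetry link, and of how a keyed message authentication code on each frame lets the control center reject readings that were forged, modified in transit, or replayed. The frame layout (site, tag, sequence number, value), the per-RTU shared key, and the site and tag names are assumptions constructed for the example; field protocols of the period such as Modbus carry no authenticator at all, which is why the legacy parser below accepts the forged reading without complaint:

```python
import hashlib
import hmac

# Shared per-device key: an assumption for this example. In practice it would be
# provisioned into each RTU and the master, and never stored on corporate-network hosts.
RTU_KEY = b"example-key-for-RTU-PS-12"


def encode_legacy(site, tag, seq, value):
    """Plain telemetry frame as an unauthenticated link carries it (constructed layout)."""
    return f"{site},{tag},{seq},{value:.2f}".encode()


def encode_authenticated(site, tag, seq, value, key=RTU_KEY):
    """Same fields, plus an HMAC-SHA256 over them appended after a '|' separator."""
    body = encode_legacy(site, tag, seq, value)
    mac = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + mac


def parse_legacy(frame):
    """Legacy master: trusts whatever arrives. Returns (site, tag, seq, value)."""
    site, tag, seq, value = frame.decode().split(",")
    return site, tag, int(seq), float(value)


class AuthenticatedMaster:
    """Control-center side: rejects frames with a bad MAC or a non-increasing sequence."""

    def __init__(self, key=RTU_KEY):
        self.key = key
        self.last_seq = {}  # (site, tag) -> highest sequence number accepted so far

    def accept(self, frame):
        body, sep, mac = frame.rpartition(b"|")
        if not sep:
            return (False, "no authenticator on frame")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, mac):      # constant-time comparison
            return (False, "MAC mismatch: frame forged or modified in transit")
        site, tag, seq, value = parse_legacy(body)
        if seq <= self.last_seq.get((site, tag), -1):   # replay of an old frame
            return (False, f"replayed frame (seq {seq} already seen)")
        self.last_seq[(site, tag)] = seq
        return (True, value)


def tamper(frame, new_value):
    """Attacker on the path rewrites the reading of an authenticated frame but,
    lacking the key, must reuse the old MAC."""
    body, sep, mac = frame.rpartition(b"|")
    site, tag, seq, _ = parse_legacy(body)
    return encode_legacy(site, tag, seq, new_value) + sep + mac


def demo():
    """Genuine flow reading from a constructed pumping station, then a forged and a replayed copy."""
    genuine = encode_authenticated("PS-12", "FLOW_01", 1042, 412.5)
    forged = tamper(genuine, 0.0)        # make the line look idle
    master = AuthenticatedMaster()
    return {
        # the legacy master happily reports 0.0 to the operator
        "legacy_accepts_forged": parse_legacy(forged.rpartition(b"|")[0])[3],
        "genuine": master.accept(genuine),   # (True, 412.5)
        "forged": master.accept(forged)[0],  # False: MAC no longer matches
        "replay": master.accept(genuine)[0], # False: same sequence number again
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The sequence number is what turns integrity into freshness: without it an attacker who captured a genuine low-pressure frame could feed it back to the master indefinitely, which is exactly the faulty-data case the Commission's quotation above describes.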

Distributed control systems are process control systems, commonly deployed in a
single manufacturing or production complex, characterized by a network of computers.
A DCS generally provides processed information to operators and issues series of
commands to equipment. For example, at a chemical plant, a DCS might simultaneously
monitor the temperature of a series of reactors and control the rate at which
reactants are mixed together, while performing real-time process optimization and
reporting the progress of the reaction. An attack targeting a DCS might cause
extensive damage at a single facility, but might not affect more than the single site.

These process control systems can be interconnected within a single industry as
well. This might be the case in an infrastructure which both transports and processes
material. As an example, the oil and gas infrastructures contain both processing and
refining sites, as well as holding facilities and distribution systems. Refining and
processing sites may utilize DCS in discrete locations. The distribution and holding
facilities might be managed by a SCADA system which collects data from, and issues
commands to, different geographic sites from a single location.6


4 Presidential Commission on Critical Infrastructure Protection, Critical Foundations:
Protecting America's Infrastructures, October 1997.

5 For a simple overview of control system types, see Micrologic Systems, "SCADA Primer,"
found online at [http://www.micrologic-systems.com/primers/scada.htm], or Dan Capano,
"Distributed Control Systems Primer," Waterandwastewater.com, (2002), found online at
[http://www.waterandwastewater.com/www_services/ask_dan_archive/toc.htm]. Other
types of control systems, such as programmable logic controllers, exist, but are not
explicitly discussed here.

6 This example was taken from "IT Security for Industrial Control Systems" by Joe Falco,
Keith Stouffer, Albert Wavering, and Frederick Proctor, Intelligent Systems Division,
National Institute of Standards and Technology, available online at
[http://www.isd.mel.nist.gov/documents/falco/ITSecurityProcess.pdf].
Industrial control system technologies are often employed in critical infrastructure
industries to allow a single control center to manage multiple sites. Industrial
control systems were originally implemented as isolated, separate networks. They were
viewed as secure systems which protected remote locations from being physically broken
into and mistreated. For example, the establishment of remote control systems at dams
was believed to protect against unlawful release of the dammed water, as no
hand-operable valves and switches were accessible.7

The networking of industrial control systems on a greater scale has led to increased
synergy and efficiency, and, due to market needs, real-time information from these
systems is increasingly important for marketing purposes. Consequently, industrial
control systems are becoming linked to corporate computer systems, potentially making
them vulnerable to cyber-attack through the Internet. The original control systems were
designed as free-standing networks without Internet access. Therefore, it has been
necessary to add network access capabilities to these legacy systems to integrate them
into the corporate structure. This has created, in the worst cases, a labyrinth of
connections which is perhaps neither rigorously constructed for cyber-security nor
well documented.

Some industrial control systems, including legacy systems, are proprietary, and
contain non-standard architectures and command syntax. This can be considered both an
advantage and a disadvantage. Proprietary systems with esoteric command structures are
often non-intuitive, and could be difficult for an untrained individual to operate.
Incorrect commands could have no effect, and may increase the probability that the
intruder would be noticed and removed from the system. Additionally, different
companies may have different command sets, even if they are both members of the same
industry, as their proprietary systems may have significantly different structures.
Thus, if a hacker or terrorist successfully attacks one company, that experience may
not be valuable for use at the next company. Others assert that many new control
systems, as well as upgrades to legacy systems, are being assembled from commercial,
off-the-shelf equipment and software, providing commonalities across different
industry sectors. When such equipment and software are adopted widely, a vulnerability
identified in one sector affects all of them.

The degree of integration between control system networks and publicly accessible
networks is difficult to judge from the open literature. This makes the vulnerability
of critical infrastructure industries to Internet-based attack difficult to assess with
certainty.8 Faced with an unclear risk, it may be difficult, from an industry
perspective, to justify the additional costs of upgrading


7 Scott Berinato, "The Truth about Cyberterrorism," CIO Magazine, Vol. 15, No. 11, March
15, 2002.

8 The Department of Energy and the Department of Defense have performed vulnerability
assessments, through "red team" exercises, of some individual stakeholders in critical
infrastructure industries. (Barton Gellman, "Cyber-Attacks by Al Qaeda Feared: Terrorists
at Threshold of Using Internet as Tool of Bloodshed, Experts Say," Washington Post, June
27, 2002) These detailed results, while provided to the individual stakeholders, are not
widely available. (Joe Weiss, KEMA Consulting, private e-mail communication, September
8, 2002)
privately held industrial control systems to higher security standards.9 Current
off-the-shelf industrial control systems have been designed for operational speed and
functionality, rather than for secure operation, and therefore do not have a high
degree of operational security.10 The addition of security requirements can degrade
the performance of these components below operating standards.

Given the uncertain vulnerability level and the systemic weaknesses involved in
current off-the-shelf technology, there is little market incentive to directly increase
industrial control system security. Therefore the security systems for the corporate
network, which block initial intrusion through the Internet, may be the sole planned
protection for the industrial control systems.

Security analysts also contend that industrial control systems are less obscure now
than they once were. Foreign utility companies increasingly use current off-the-shelf
industrial control systems, increasing the international availability of these systems
and their documentation. Due to the similarity between these systems and systems
installed domestically, potential terrorists need not break into an American utility to
test their plans.11

Some security analysts believe that the industrial control system vulnerability
should be addressed before potentially catastrophic events occur, and that techniques
for reducing the vulnerability are already known. They contend that the majority of
attacks on industrial control systems will come through corporate networks, via the
Internet. While standardized information technology protection methods have not yet
been developed specifically for industrial control systems, these analysts contend that
if general network benchmark standards were uniformly applied across corporate
networks, the vulnerability of corporate networks to intrusion could be reduced by
80-88%.12 This would indirectly reduce the vulnerability of industrial control systems
to intrusion, as routes through the corporate network would no longer be available.
These benchmark standards include disabling unneeded server functionality, patching
known security flaws, and updating programs to the most recent version.

Other security analysts claim that in addition to general network security, specific
protection for industrial control systems must also be established. Such protection
might be addressed by successfully isolating the control system network from the
corporate computer network or by implementing stronger security measures


9 Eric Pianin and Bill Miller, "Businesses Draw Line On Security, Firms Resist New Rules
For Warding Off Terror," Washington Post, September 5, 2002.

10 Jennifer Alvey, "Digital Terrorism: Holes in the Firewall? Plugging Cyber Security Holes
Isn't as Easy as Everyone Wants to Think," Public Utilities Fortnightly, March 15, 2002.

11 Testimony by Timothy G. Belcher, Chief Technology Officer, Riptech, Inc., before the
House Committee on Government Reform, Subcommittee on Government Efficiency,
Financial Management and Intergovernmental Relations, July 24, 2002.

12 Testimony by Alan Paller, Director of Research, The SANS Institute, before the House
Committee on Government Reform, Subcommittee on Government Efficiency, Financial
Management and Intergovernmental Relations, July 24, 2002.
at known junctions of the two networks. Such an effort might significantly increase
the difficulty of infiltrating the control system network from the Internet.13

In contrast, control systems may have vulnerabilities unrelated to those associated
with corporate networks, and may require more specific protection, including against
attacks that do not transit the corporate network.14 Protecting corporate networks
from intrusion may not address enough of the vulnerable access routes into industrial
control systems. Joe Weiss, Executive Consultant with KEMA Consulting, asserts that
firewalls, intrusion detection, encryption, and other technology need to be developed
specifically for control systems.15
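As an added illustration, not taken from this report or from the companies it cites, the allow list below models the isolation of the control network from the corporate network described above: a corporate zone, a control system zone, and a small DMZ between them holding a historian, with no rule that lets corporate hosts reach the control network directly. The address ranges, the historian host, the port numbers, and the flow records the audit runs over are all constructed for the example; a real deployment would enforce the same list in the firewalls at the two junctions and feed their logs to this kind of check:

```python
import ipaddress
from collections import namedtuple

# Zone layout and addresses are assumptions for this example, not any real utility's network.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":       ipaddress.ip_network("10.20.0.0/24"),  # historian / relay hosts only
    "control":   ipaddress.ip_network("10.30.0.0/16"),  # SCADA masters, HMIs, RTU front ends
}
HISTORIAN = ipaddress.ip_address("10.20.0.10")          # assumed relay host inside the DMZ

Rule = namedtuple("Rule", "src_zone dst_zone dst_host proto dport")

# Allow list enforced at the two junctions (corporate|dmz and dmz|control).
# Anything not listed is denied, and no rule crosses corporate -> control directly.
ALLOW = [
    Rule("control",   "dmz", HISTORIAN, "tcp", 5432),  # field data pushed into the historian (port assumed)
    Rule("corporate", "dmz", HISTORIAN, "tcp", 443),   # business users read reports from the historian
]


def zone_of(ip):
    """Name of the zone containing ip, or 'external' if it lies in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def classify(src, dst, proto, dport):
    """Decide one flow against the junction policy: ('allow', why) or ('deny', why)."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return ("allow", "intra-zone traffic does not cross a junction")
    if "external" in (sz, dz) and "control" in (sz, dz):
        return ("deny", f"control zone must never exchange traffic with external hosts ({sz}->{dz})")
    for r in ALLOW:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) == (sz, dz, proto, dport) \
                and (r.dst_host is None or ipaddress.ip_address(dst) == r.dst_host):
            return ("allow", f"{sz}->{dz} {proto}/{dport} to {dst} is on the allow list")
    return ("deny", f"no rule permits {sz}->{dz} {proto}/{dport} to {dst}")


def audit(flow_records):
    """Run the policy over records 'timestamp src dst proto dport'; return the denied ones."""
    violations = []
    for line in flow_records:
        ts, src, dst, proto, dport = line.split()
        verdict, reason = classify(src, dst, proto, int(dport))
        if verdict == "deny":
            violations.append((ts, src, dst, reason))
    return violations


# Constructed flow records for the demonstration (not captured from any real network).
SAMPLE_FLOWS = [
    "2003-06-30T10:15:02 10.30.1.5 10.20.0.10 tcp 5432",   # RTU front end -> historian: allowed
    "2003-06-30T10:15:09 10.10.4.21 10.20.0.10 tcp 443",   # corporate desktop -> historian: allowed
    "2003-06-30T10:16:44 10.10.4.21 10.30.1.5 tcp 502",    # corporate desktop -> control host, Modbus/TCP
    "2003-06-30T10:17:01 10.20.0.10 10.30.1.5 tcp 502",    # historian itself trying to reach a control host
    "2003-06-30T10:17:30 10.30.1.5 203.0.113.7 tcp 80",    # control host calling out to the Internet
    "2003-06-30T10:18:12 10.10.4.21 10.20.0.11 tcp 443",   # corporate -> some other DMZ host
    "2003-06-30T10:18:40 10.30.2.8 10.30.1.5 tcp 502",     # master -> RTU front end, inside the control zone
]

if __name__ == "__main__":
    for ts, src, dst, reason in audit(SAMPLE_FLOWS):
        print(f"{ts} {src} -> {dst}: {reason}")
```

Running the audit over the constructed records returns four denials. The corporate-to-control Modbus/TCP attempt and the outbound connection from the control zone are the routes the analysts above want closed; the historian-to-control attempt shows that the DMZ host is a data relay, not a trusted command path, so a compromise of it still does not reach the control network.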

Some companies have taken aggressive steps to protect their industrial control
systems, and offer examples of how secure industrial control systems can be
established.16 While most security experts agree that critical infrastructure
industries which view secure industrial control systems as a priority can reduce
vulnerabilities, they assert that most critical infrastructure industries are not
willing to voluntarily commit resources, time and effort to reducing their
vulnerabilities. Stuart McClure, President and Chief Technical Officer of the security
company Foundstone, claims, "[Industries] have fallen into the regulation trap. Unless
the government regulates it, they're not yet taking [security] seriously."17

The Magnitude of the Terrorist Threat

Some critical infrastructure industry representatives are skeptical that a
cyber-terror attack would target industrial control systems.18 Since there has never
been an attack on domestic critical infrastructure industrial control systems which
caused intentional damage, even in cases where hackers have successfully broken into
these systems, industry representatives believe the cyber-threat to be low. Diane Van
de Hei, executive director of the Association of Metropolitan Water Agencies and
contact person for the water utility Information Sharing and Analysis Center (ISAC),
was quoted as saying, "If we had so many dollars to spend on a water system, most of
it would go to physical security."19


13 Such methods have reportedly been employed by DuPont Chemical Company. Mathew
Schwartz, "Wanted: Security Tag Team," Computerworld, June 30, 2003.

14 Joe Weiss, KEMA Consulting, private e-mail communication, September 8, 2002.

15 Testimony by Joe Weiss, Consultant, KEMA Consulting, before the House Committee
on Government Reform, Subcommittee on Government Efficiency, Financial Management
and Intergovernmental Relations, July 24, 2002.

16 For example, see Scott Berinato, "The Truth about Cyberterrorism," CIO Magazine, Vol.
15, No. 11, March 15, 2002.

17 Robert Vamosi, "Cyberterrorists Don't Care About Your PC," ZDNet Reviews, July 10,
2002.

18 Bill Wallace, "Security Analysts Dismiss Fears of Terrorist Hackers," San Francisco
Chronicle, June 30, 2002.

19 Robert Lemos, "What Are the Real Risks of Cyberterrorism?" ZDNet, August 26, 2002.
Some critical infrastructure companies believe that the potential damage likely to
be caused by a cyber-attack on control systems would be small and manageable through
already existing procedures. Since fluctuations and equipment failure are part of
expected, normal business, plans and procedures for these naturally occurring events
are in place. They assert that the damage caused by a cyber-attack would be similar to
that already routinely seen.20

Some industry representatives also emphasize that the unfamiliar and uncommon
commands used in legacy industrial control systems will continue to provide as high a
barrier to future destructive attempts as they have in the past.21 While utility
industry leaders agree that they have been the target of millions of cyber-security
incidents, some do not analyze the origin or method of attack. Will Evans, vice
president of IT services at People's Energy Corp., reportedly claimed, "[A large
utility] could have a million [intrusion] events that need to be analyzed. I don't think
anybody has the capability to do that in-house."

Utility industry representatives contend that the vast majority of such intrusions
are searches for vulnerable computers in the corporate network by inexperienced
hackers, and that, of the dangerous minority actually performed by experienced
crackers, many are focused on economic aspects of the corporate network rather than
the industrial control systems network.22 From the perspective of critical
infrastructure industries, discontented employees who possess inside information about
industrial control systems are a greater security risk than external attempts to
breach security.

There is evidence that al Qaeda is interested in the vulnerabilities of U.S. public
and private utilities. The discovery in Afghanistan of a computer containing structural
analysis programs for dams, combined with an increase in Web traffic relating to SCADA
systems,23 prompted the National Infrastructure Protection Center (NIPC) to issue a
warning information bulletin.24 An analysis of cyber-attack data collected during the
second half of 2001 showed that energy industry companies are attacked twice as often
as other industries, and that a large number of these attacks originate from the
Middle East.25 Additionally, according to one expert, these statistics do not reflect
intrusions directed at control systems which lack firewalls or


20 Kevin Poulsen, "Sparks Over Power Grid Cybersecurity," Business Week Online, April
16, 2003.

21 Scott Berinato, "Debunking the Threat to Water Utilities," CIO Magazine, Vol. 15, No.
11, March 15, 2002.

22 Bill Wallace, "Security Analysts Dismiss Fears of Terrorist Hackers," San Francisco
Chronicle, June 30, 2002.

23 Sean Webby, "4 Cities Take Data Off Web; Authorities Remove Info After Hits From
Mideast," San Jose Mercury News, June 28, 2002.

24 "Terrorist Interest in Water Supply and SCADA Systems," National Infrastructure
Protection Center, Information Bulletin 02-001, January 30, 2002.

25 Dan Verton, "Vulnerability Assessment Triggers Alarms," Computerworld, January 21,
2002.
intrusion detection systems, resulting in an under-reporting of the actual number of
attacks.26

There have been examples of individuals specifically breaking into utility
companies' control systems. The most notable event occurred in Maroochy Shire,
Australia, where, in spring 2000, a discontented former employee was able to remotely
access the controls of a sewage plant and discharge approximately 264,000 gallons of
untreated sewage into the local environment.27 In 1994, a hacker successfully broke
into the computer system of the Salt River Project in Arizona.28 Another example, from
March 1997, occurred when a teenager in Worcester, MA was able to remotely disable
part of the public telephone switching network, disrupting telephone service for 600
residents, including the fire department, and causing a malfunction at the local
regional airport.29 Reportedly, an intrusion into the SCADA systems of a global
chemical company occurred in which a former employee attempted to disable chemical
operating systems at a production plant.30

Often, it is difficult to assess from public reports to what degree a critical
infrastructure industry has been breached.31 For example, a cyber-break-in at the
California Independent System Operator (Cal-ISO), California's primary electric power
grid operator, went undetected for 17 days in April 2001. Greg Fishman, a
representative of Cal-ISO, reported the intruders "never really got close at all to our
operational systems that run the grid."32 It is not clear what information was
compromised during the intrusion, who the perpetrators were, or what their goal in
gaining access was. To date, there has been no indication that the perpetrators of this
attack were able to access any sensitive information or systems.

Potential Consequences of a Terrorist Attack

The consequences of an attack on the industrial control systems of critical
infrastructure could vary widely. It is commonly assumed that a successful
cyber-attack would cause few, if any, casualties, but might result in loss of
infrastructure service while control was wrested from the attacker and damage
repaired. For example, a successful cyber-attack on the public telephone switching
network might deprive customers of telephone service while technicians reset and
repaired the


26 Joe Weiss, KEMA Consulting, private e-mail communication, September 8, 2002.

27 A summary of this event can be found in National Infrastructure Protection Center,
Highlights, 2-03, June 15, 2002.

28 Robert Lemos, "What Are the Real Risks of Cyberterrorism?" ZDNet, August 26, 2002,
found online at [http://www.msnbc.com/news/799234.asp].

29 "Juvenile Hacker Charged with Disabling Airport Control Tower Telephones," Agence
France Presse, March 18, 1998.

30 Esther D'Amico, "Cybersecurity Gains Momentum," Chemical Week, August 21, 2002.

31 Ibid.

32 Dan Verton, "California Hack Points to Possible Surveillance Threat; Power Grid
Unaffected; Perps Unidentified," Computerworld, June 18, 2001.
switching network. An attack on a chemical or liquefied natural gas facility's control
systems might lead to more widespread physical damage.

Lower probability events include catastrophic infrastructure failure, where the
failure of one part of the infrastructure leads to the failure of other parts, causing
widespread effects. Such failure might occur because of the interdependence of
infrastructure industries on each other. A simple example might be an attack on
electrical utilities where electricity distribution was disrupted; sewage treatment
plants and waterworks could also fail, as perhaps the turbines and other electrical
apparatus in these facilities shut down. On August 5, 2002, the faulty closure of an
emergency valve at one of Singapore's two natural gas suppliers blocked the flow of
natural gas to seven electrical power plants. The resultant power level dropped 30%,
and even after reserve power was employed, there was still an 8% shortfall. The power
outage lasted up to 90 minutes.33 Several chemical production plants were forced to
shut down their facilities during the power outage, and required several days to
restore full production.34

Some experts warn of a cascade event, where a terrorist is able to manipulate
control systems and cause catastrophic failure within an infrastructure. Cascade
events can be very damaging, causing widespread utility outages. Twice in 1996, arcing
between high voltage transmission lines and trees resulted in widespread power
outages. On July 2, 1996, a cascade event left 2 million customers in 11 states and 2
Canadian provinces without power.35 Most service was restored within 30 minutes.36 On
August 10, 1996, a similar event caused 7.5 million customers in seven western states
and part of Canada to be without power for up to nine hours.37

The scenario which causes the highest degree of concern among experts is the
combined use of a cyber-attack on critical infrastructure in conjunction with a
physical attack.38 This use of cyber-terrorism could result in an amplification of the


33 Krist Boo and Tan May Ping, "90-Minute Blackout in Several Areas," The Straits Times
(Singapore), August 6, 2002, and Krist Boo, "Computer Glitch Behind Worst Blackout in
Decade," The Straits Times (Singapore), August 15, 2002.

34 Sam Cage, "Power Failure Downs Three Singapore Crackers," Chemical Week, August
14, 2002.

35 Susan Reed, "Massive Power Outage in West Still Unexplained," CNN, July 3, 1996 and
Bonneville Power Administration, "Tree Triggers Power Outage," Journal, August 1996,
found online at [http://www.bpa.gov/corporate/kc/home/journal/96jl/jl0896x.shtml].

36 "Parts of Idaho Darkened by Power Outage, Earlier Western Blackout Traced to Short
Circuit," CNN, July 3, 1996.

37 John F. Hauer and Jeff E. Dagle, "Consortium for Electric Reliability Technology
Solutions Grid of the Future, White Paper on Review of Recent Reliability Issues and
System Events," prepared for Transmission Reliability Program, Office of Power
Technologies, Assistant Secretary for Energy Efficiency and Renewable Energy, U.S.
Department of Energy, August 30, 1999.

38 For an overview of this type of scenario, see National Research Council, Making the
Nation Safer: The Role of Science and Technology in Countering Terrorism, National
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physical  attack’ s  effects.  An  example  of  this  might  be  a  conventional  bombing  attack 
on  a  building  combined  with  a  temporary  denial  of  electrical  or  telephone  service. 
The  resulting  degradation  of  emergency  response,  until  back-up  electrical  or 
communication  systems  can  be  brought  into  place  and  used,  could  increase  the 
number  of  casualties  and  public  panic. 

Others believe that the consequences of a cyber-attack on critical infrastructure would be very limited, and that excessive focus has been given to an unsubstantiated threat.39 Cyber-security experts who doubt the effectiveness of such an attack differ on its likely impact. Some believe that a cyber-attack on critical infrastructure control systems, while having some effect, would not be devastating but would be only a minor threat.40 Others believe that there could be significant impacts from a successful attack on control systems, but that such success would be very unlikely.41 Finally, some believe that while it is possible to use computers to generate high-consequence attacks, a terrorist group would be much more likely to resort to a simpler conventional attack yielding results of a similar magnitude.42


Current  Initiatives 

Department  of  Homeland  Security 

The creation of the Department of Homeland Security has centralized within the Directorate of Information Analysis & Infrastructure Protection a number of offices related to critical infrastructure control system security: the Critical Infrastructure Assurance Office (CIAO), the National Infrastructure Protection Center (NIPC), the National Infrastructure Simulation and Analysis Center (NISAC), and part of the Department of Energy’s Office of Energy Assurance.43

CIAO and NIPC were created in response to Presidential Decision Directive No. 63, issued in 1998.44 CIAO coordinates the federal government’s initiatives on critical infrastructure assurance and promotes national outreach and awareness campaigns about critical infrastructure protection. NIPC is a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response agency. Among other programs, NIPC has developed the InfraGard program, which serves as a clearinghouse for information sharing and analysis for members of critical infrastructure industries.


38 (...continued)

Academy Press, Washington, DC, 2002.

39 Joshua Green, “The Myth of Cyberterrorism,” The Washington Monthly, November, 2002.

40 Steve Alexander, “Some Experts Say Cyberterrorism Is Very Unlikely,” Star Tribune, February 13, 2003.

41 Mark Harrington, “In Cyber-Attack, The System Bends, Doesn’t Break,” Newsday, February 11, 2003.

42 Bill Wallace, “Security Analysts Dismiss Fears of Terrorist Hackers,” San Francisco Chronicle, June 30, 2002. See also Bruce Schneier, “Embedded Control Systems and Security,” Crypto-Gram Newsletter, July 15, 2002.

43 Homeland Security Act of 2002, P.L. 107-296.

44 Presidential Decision Directive No. 63 set as a national goal the ability to protect the nation’s critical infrastructure from intentional attacks. For more information regarding this directive and other critical infrastructure policy, see CRS Report RL30153, Critical

NISAC  was  created  in  2001  through  the  passage  of  the  USA  PATRIOT  Act. 
It  is  charged  to  “serve  as  a  source  of  national  competence  to  address  critical 
infrastructure  protection  and  continuity  through  support  for  activities  related  to 
counterterrorism,  threat  assessment,  and  risk  mitigation.”45  This  center  is  to  provide 
modeling  and  simulation  capabilities  for  the  analysis  of  critical  infrastructures, 
including  electricity,  oil,  and  gas  sectors.46  It  is  located  at  Sandia  National 
Laboratories  and  Los  Alamos  National  Laboratory.47 

The Department of Energy’s Office of Energy Assurance has also been involved in developing techniques to secure energy production and availability.48 Part of this effort has been the development of “simple, common-sense approaches to improve the overall level of protection in SCADA and digital control networks.”49 A document describing a general approach to improving cyber-security in SCADA systems has been released.50

The President’s Critical Infrastructure Protection Board has released The National Strategy to Secure Cyberspace, in which a general strategic overview, specific recommendations and policies, and the rationale for these actions are presented.51 This document addresses concerns regarding digital control systems and SCADA networks, rates SCADA network security as a national priority, and recommends joint public/private efforts in discovering solutions to potential vulnerabilities. This strategy identifies the Department of Homeland Security, in coordination with other federal agencies, as the department responsible for developing best practices and new technologies to increase SCADA security. Some cyber-security experts have criticized this plan, claiming that vulnerabilities will remain because of its lack of enforcement regulations.52


44 (...continued)

Infrastructures: Background, Policy, and Implementation by John D. Moteff.

45 USA PATRIOT Act, P.L. 107-56, Section 1016.

46 Jennifer Jones, “Models of Mayhem,” Federal Computer Week, September 30, 2002.

47 For more information on NISAC, see [http://www.sandia.gov/CIS/NISAC.htm].

48 The Department of Energy’s Office of Energy Assurance can be found online at [http://oea.dis.anl.gov/oea_home.html].

49 Remarks of James F. McDonnell, Director of the Office of Energy Assurance, September 19, 2002, found online at [http://oea.dis.anl.gov/documents/mcdonnell_remarks.html].

50 “21 Steps to Improve Cyber Security of SCADA Networks,” Department of Energy, 2002.

51 The National Strategy to Secure Cyberspace is available for download at the President’s Critical Infrastructure Protection Board website, found online at [http://www.whitehouse.gov/pcipb/].

The Department of Homeland Security has created a National Cyber Security Division to identify, analyze, and reduce cyber-threats and vulnerabilities; disseminate threat warning information; coordinate incident response; and provide technical assistance in continuity of operations and recovery planning.53 Based on the needs of public and private sector partners, this division will implement cyber-security research and development programs, drawing on the expertise of the Science and Technology Directorate to carry them out.

Department  of  Energy  Laboratories 

The Department of Energy laboratories have developed a series of test bed facilities to test security measures developed for critical infrastructure. The Idaho National Engineering and Environmental Laboratory, in conjunction with Sandia National Laboratories, is developing a SCADA test bed to help identify vulnerabilities and improve the security and stability of SCADA systems.54 The Pacific Northwest National Laboratory has developed a Critical Infrastructure Protection Analysis Laboratory where, among other things, the vulnerability of SCADA systems can be determined.55

Research into advanced technologies is currently underway at Department of Energy laboratories to address process control system security. For example, Sandia National Laboratories, under the Laboratory Directed Research and Development program, has been developing secure control systems for the energy industry.56 Research includes new information architectures, cryptographic methods, and information system security assessments. Much of this work arises from needs discovered through partnerships with systems manufacturers. While a prototype system to demonstrate proof of principle has been implemented at the Sandia National Solar Thermal Test Facility, this system has not been widely implemented in the field.57 Similar security efforts, though less directly focused on industrial control systems, are being developed at both Lawrence Livermore National Laboratory and Los Alamos National Laboratory.


52 Robert Lemos, “Bush Unveils Final Cybersecurity Plan,” CNET News, February 14, 2003.

53 Office of the Press Secretary, Department of Homeland Security, “Ridge Creates New Division to Combat Cyber Threats,” June 6, 2003.

54 For more information about the Idaho National Engineering and Environmental Laboratory’s Critical Infrastructure Protection Program, see online at [http://www.inel.gov/nationalsecurity/critical_infrastructure_protection_program/].

55 Securing Our Homeland, Pacific Northwest National Laboratory, available online at [http://www.pnl.gov/main/sectors/homeland.html].

56 Rolf Carlson, “Sandia SCADA Program High-Security SCADA LDRD Final Report,” Sandia Report SAND2002-0729, Sandia National Laboratories, April, 2002.

57 Sandia National Laboratories, “Dish/Sterling Provides Test for Secure Control System,” Sandia Technology, Vol. 3, No. 1, Spring, 2001.

National  Institute  of  Standards  and  Technology 

The National Institute of Standards and Technology (NIST) has initiatives in industrial control system security. NIST, in conjunction with a number of industry groups, federal government agencies, and professional societies, has created the Process Control Security Requirements Forum to develop process control information security requirements. Through its Critical Infrastructure Protection program, NIST is developing information security requirements, best-practice guidelines, and test methods for the process control sector.58

Department  of  Defense 

The  Department  of  Defense,  through  the  Combating  Terrorism  Technology 
Support  program,  provides  support  for  the  protection  of  infrastructure  elements.  As 
part  of  this  program,  encryption  algorithms  for  SCADA  systems  are  being  developed 
and  tested  with  the  end  goal  of  providing  recommendations  to  industry  regarding 
their  use.59 

Information  Sharing  and  Analysis  Centers 

Critical  infrastructure  industries  have  also  developed  non-profit  organizations 
called  Information  Sharing  and  Analysis  Centers  (ISACs)  to  allow  industry  sector 
members  to  share  security  information  in  a  private  forum.  Information  sharing, 
especially  regarding  the  magnitude  and  nature  of  observed  cyber-attacks, 
vulnerabilities  and  their  solutions,  is  seen  as  an  important  step  in  preparing  for  and 
protecting  against  cyber-terror. 

There has been limited public/private cooperation on divulging information about, and technical solutions to, discovered vulnerabilities. Because of perceived limitations in Freedom of Information Act (FOIA) exemptions, industry representatives have generally limited the quantity and quality of information volunteered to the government. Also, the ISAC system has not risen to its full potential in all critical infrastructure areas, due to fears over disclosure of sensitive corporate information to competitors. In testimony before the House Committee on Energy and Commerce, Subcommittee on Oversight and Investigations, Bill Smith, Chief Technology Officer of the BellSouth Corporation, stated,

    With respect to FOIA, many companies are hesitant to voluntarily share sensitive information with the government because of the possible release of this information to the public. BellSouth currently shares cyber-related intrusion information with the Telecom Information Sharing and Analysis Center (the Telecom ISAC) located within the NCC. However, because of the concerns just noted, the information sharing is done on a limited basis, within trusted circles, and strictly within a fashion that will eliminate any liability or harm from FOIA requests for BellSouth information. This is neither maximally efficient nor effective.60


58 For more information on the Critical Infrastructure Protection program and the Process Control Security Requirements Forum, see [http://www.mel.nist.gov/proj/cip.htm].

59 Office of the Secretary of Defense, Department of Defense, OUSDC Budget Justification Materials, FY 2004 Budget, PE 0603122D8Z, February 2003.

Partially  in  an  effort  to  address  these  concerns,  the  Homeland  Security  Act  of 
2002  created  a  new  FOIA  exemption  for  critical  infrastructure  information: 

Notwithstanding  any  other  provision  of  law,  critical  infrastructure  information 
(including  the  identity  of  the  submitting  person  or  entity)  that  is  voluntarily 
submitted  to  a  covered  Federal  agency  for  use  by  that  agency  regarding  the 
security  of  critical  infrastructure  and  protected  systems,  analysis,  warning, 
interdependency  study,  recovery,  reconstitution,  or  other  informational  purpose, 
when  accompanied  by  an  express  statement ...  shall  be  exempt  from  disclosure 
under  section  552  of  title  5,  United  States  Code  (commonly  referred  to  as  the 
Freedom  of  Information  Act).61 

The  breadth  of  this  exemption  has  caused  concern  that  information  showing 
safety  violations  or  consumer  hazards  could  be  hidden  through  such  an  exemption.62 
At  the  confirmation  hearing  of  Homeland  Security  Secretary  Ridge,  Senator  Levin 
noted  that  the  exemption  language  should  be  clarified: 

    The Freedom of Information Act language has got to be clarified. We are denying the public unclassified information in the current law which should not be denied to the public. ... [Y]ou could get information that, for instance, a company is leaking material into a river that you could not turn over to the EPA.

    If that company was the source of the information, you could not even turn it over to another agency. It means that a member of Congress that finds out about that information through oversight cannot act on that information, even though it’s unclassified information. We would be stymied from acting on it, making it public, for instance, or doing anything else in relation to information which comes to us or comes to you as a result of a voluntary submission.63

The Department of Homeland Security has published the proposed rule for handling critical infrastructure information.64 The comment period on this rule closed on June 16, 2003. For more information on critical infrastructure information, see CRS Report RL31547, Critical Infrastructure Information Disclosure and Homeland Security, by John D. Moteff and Gina Marie Stevens.


60  Testimony  of  Bill  Smith,  Chief  Technology  Officer  of  the  BellSouth  Corporation  before 
the  House  Committee  on  Energy  and  Commerce,  Subcommittee  on  Oversight  and 
Investigations,  July  9,  2002. 

61  Homeland  Security  Act  of  2002,  P.L.  107-296. 

62 Lauren Weinstein, “Taking Liberties With Our Freedom,” Wired News, December 2, 2002.

63 Hearing on the Nomination of Tom Ridge to be Secretary of Homeland Security, Senate Committee on Governmental Affairs, January 17, 2003.

64  Federal  Register,  Volume  68,  Number  72,  April  15,  2003,  pp.  18523-18529. 
Federal Energy Regulatory Commission

The  Federal  Energy  Regulatory  Commission  (FERC)  is  an  independent 
regulatory  agency  within  the  Department  of  Energy  that,  among  other  duties, 
regulates  interstate  commerce  in  oil,  natural  gas,  and  electricity.  FERC  has  published 
a  final  rule  related  to  critical  energy  infrastructure  information.  In  this  rule,  critical 
energy  infrastructure  information  (CEII)  is  defined  as: 

information  about  proposed  or  existing  critical  infrastructure  that:  (i)  Relates  to 
the  production,  generation,  transportation,  transmission,  or  distribution  of 
energy;  (ii)  Could  be  useful  to  a  person  in  planning  an  attack  on  critical 
infrastructure;  (iii)  Is  exempt  from  mandatory  disclosure  under  the  Freedom  of 
Information  Act,  5  U.S.C.  552;  and  (iv)  Does  not  simply  give  the  location  of  the 
critical  infrastructure.65 

Whether  or  not  information  falls  under  the  CEII  categorization  is  initially  determined 
by  the  companies  submitting  the  information  to  FERC.  Categorization  of  select 
information  as  CEII  may  lead  to  greater  information  sharing  between  industry  and  the 
federal  government. 

FERC has also published a notice of proposed rulemaking which includes cyber-security for the electric industry.66 This proposed regulation would require the electric industry to self-certify that it is meeting the cyber-security standards. It has been reported that FERC will likely adopt standards issued by the North American Electric Reliability Council in the final version of this regulation.67 The final version of this regulation has not been issued.68

Industry  Initiatives 

Some industry groups have taken steps towards addressing control system security, generally as part of an overall cyber-security initiative.69 Some groups have launched initiatives in developing infrastructure security programs.70 The North American Electric Reliability Council has developed a set of minimum cyber-security standards for the electricity industry, as well as guidelines for securing remote access to critical electric infrastructure.71 The Partnership for Critical Infrastructure Security has established a working group to improve understanding of security issues relating to process control systems.72 Another approach developed by industry groups has centered on cryptographic protection of SCADA communications.73


65 Federal Register, Volume 68, Number 41, March 3, 2003, pp. 9857-9873.

66 Federal Register, Volume 67, Number 168, August 29, 2002, pp. 55451-55550.

67 “FERC Likely to Adopt Electric Industry’s Cyber Security Standards,” Electric Power Alert, Vol. 13, No. 14, July 9, 2003, and Rick Nicholson and Terry Ray, “How Tight Is Your Padlock?” Platts Energy Business & Technology, May 2003.

68 Due to controversies surrounding other provisions of this proposed regulation, questions have arisen regarding when, or if, this proposed regulation will be promulgated. For more general information on this proposed regulation, see CRS Report RS21407, Federal Energy Regulatory Commission’s Standard Market Design Activities by Amy Abel.

69 For example, the chemical sector has begun a Cybersecurity Practices, Standards and Technology Initiative, which will develop practices and standards and encourage development of improved security technology. For more information, see online at [http://www.cidx.org/default_CyberSec.asp?Level=2&SecondLevelURL1=/Security/Security.asp].

Policy  Options 

Several policy options may decrease the vulnerability of industrial control systems. One option is for the federal government to mandate and enforce a uniform security standard for industrial control systems. Because of the national importance of critical infrastructure systems, a uniform standard might be developed, with the input of advocates, industries, and the federal government, which would include the functionality necessary to protect industrial control systems. A voluntary, standards-based approach has been developed for server operating systems with some success, and a similar mechanism could be used to develop standards for commercial off-the-shelf control systems.74 Alternately, processes and specifications currently being developed through federal programs might be generalized to other critical infrastructure industries and established as a voluntary standard. Critics of this approach cite the many different uses of industrial control systems in different industry sectors as making such a standard unwieldy. They also contend that a mandated standard would be less effective than a voluntary one, since solutions to new problems could not be implemented immediately but would have to wait for changes to the standard.

Identifying the dependencies between critical infrastructure sectors, the vulnerabilities that are present in information technologies in these sectors, and the possible impacts of a control system attack may lead to a greater understanding of the scale of the control system threat. Both the Department of Homeland Security, in its role of protecting infrastructure, and the Department of Energy, in its role of ensuring a robust and reliable energy infrastructure, perform such activities. Policymakers may wish to enhance current funding for SCADA security research, test bed modeling, or critical infrastructure vulnerability assessment to further clarify the current threat.


70 The Electric Power Research Institute, for example, has developed a series of primers addressing information security within the energy and power industry. For more information about the Electric Power Research Institute, see [http://www.epri.com].

71 Information on the North American Electric Reliability Council’s efforts in critical infrastructure protection can be found online at [http://www.nerc.com/cip.html].

72 For more information about the Partnership for Critical Infrastructure Security working groups, see online at [http://www.pcis.org/library.cfm?urlSection=WG].

73 See, for example, American Gas Association, “Cryptographic Protection of SCADA Communications,” AGA Report 12-1, April 2003.

74 The Center for Internet Security, a not-for-profit organization, develops consensus security standards for computer systems. They can be found online at [http://www.cisecurity.org/].

Another option would involve supporting encryption research to protect industrial control system data transfer. Encrypting and authenticating the information transmitted between remote units and their controllers would inhibit the injection of false information into industrial control systems, since a forged, altered, or replayed message would fail verification at the receiving end. Current encryption technology may not be compatible with these systems, because of the time required to process the encrypted data and the limited computing capacity built into control system components. Industrial control systems have stringent timing requirements and tend to be built from less computationally capable components, which complicates the use of current encryption technologies.75 While a prototype encryption method for industrial control systems has been developed, it is still in the validation process76 and is only now being implemented in industry.77 Further research into encryption techniques for these processes could provide efficient, market-driven technology for securing industrial control systems information.
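The security property the paragraph above is after is that a remote unit accepts only commands that genuinely came from its controller. The Python below is an added illustration of that property, not code from this report, from the AGA, or from any of the laboratories it cites. Using only the standard library, it gives each frame a short HMAC-SHA-256 tag and a per-unit sequence number, so that a forged, altered, or replayed frame is rejected before it reaches the process. The frame layout, field names, the 8-byte tag truncation, and the sample commands are assumptions chosen for this example; confidentiality (the encryption the paragraph discusses) is left out because the standard library has no block cipher, and a field deployment would also encrypt the payload. The per-frame cost is one hash computation and twelve added bytes (sequence number plus tag), which is the sort of budget the timing and component-capacity constraints described above impose.

```python
"""Authenticated SCADA-style frames between a controller and a remote unit.

Added example (not from the report or any vendor). Frame layout is an
assumption for this example:

    unit address (1 byte) | function code (2 bytes) | sequence no. (4 bytes)
    | payload (n bytes) | tag (8 bytes)

tag = HMAC-SHA-256(key, everything before the tag) truncated to 8 bytes.
"""
import hashlib
import hmac
import struct

HEADER = struct.Struct("!BHI")  # unit address, function code, sequence number
TAG_LEN = 8                     # truncated tag: keeps overhead small on slow serial links


def seal(key: bytes, unit: int, func: int, seq: int, payload: bytes) -> bytes:
    """Controller side: build header || payload || tag."""
    body = HEADER.pack(unit, func, seq) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Remote-unit side: verify the tag, then enforce a strictly increasing
    sequence number per unit address so captured frames cannot be replayed."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}  # unit address -> highest sequence number accepted

    def open(self, frame: bytes):
        """Return ((unit, func, payload), "ok") or (None, reason)."""
        if len(frame) < HEADER.size + TAG_LEN:
            return None, "short frame"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison so a forger learns nothing from timing.
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag"
        unit, func, seq = HEADER.unpack_from(body)
        if seq <= self.last_seq.get(unit, -1):
            return None, "replay"
        self.last_seq[unit] = seq  # advance only after the tag has checked out
        return (unit, func, body[HEADER.size:]), "ok"


def demo():
    """Walk through the cases the text describes; returns the verdict per frame."""
    key = bytes(range(32))  # constructed demo key; a real link would provision one per unit
    rtu = Receiver(key)
    verdicts = []

    # 1. Legitimate command (assumed function code 0x05, payload "set point 1").
    frame = seal(key, unit=7, func=0x05, seq=1, payload=b"\x00\x01")
    verdicts.append(rtu.open(frame)[1])

    # 2. Attacker replays the captured frame verbatim.
    verdicts.append(rtu.open(frame)[1])

    # 3. Attacker alters the payload of the captured frame (false information).
    forged = bytearray(frame)
    forged[HEADER.size] ^= 0xFF
    verdicts.append(rtu.open(bytes(forged))[1])

    # 4. Attacker without the key builds a fresh frame with the next sequence number.
    verdicts.append(rtu.open(seal(b"\x00" * 32, 7, 0x05, 2, b"\x00\x01"))[1])

    # 5. The controller's next legitimate command still goes through.
    verdicts.append(rtu.open(seal(key, 7, 0x05, 2, b"\x00\x00"))[1])
    return verdicts


if __name__ == "__main__":
    for case, verdict in zip(("genuine", "replay", "altered", "forged", "next genuine"), demo()):
        print(f"{case:13s} -> {verdict}")
```

Note that the receiver updates its sequence counter only after the tag verifies, so a flood of bad frames cannot push the counter forward and lock out the real controller; that ordering, and the constant-time comparison, are the two details most often got wrong when this scheme is hand-rolled for a field device.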

The  new  FOIA  exemptions  created  in  the  Homeland  Security  Act  of  2002  may 
provide  a  higher  volume,  freer  exchange  of  information  between  the  federal 
government  and  industry,  as  industry  may  become  more  forthcoming  about  potential 
vulnerabilities.  Policymakers  may  wish  to  inquire  into  whether  vulnerabilities 
transmitted  to  the  federal  government  are  eventually  reduced,  and  how  the 
information  being  provided  to  the  federal  government  is  used. 

Policymakers may also wish to assess the effectiveness of the Department of Homeland Security in coordinating security enhancements to control systems, promoting government/industry partnerships, and performing risk and vulnerability assessments. With the concentration of previously existing agencies into the Directorate of Information Analysis and Infrastructure Protection, previous duplication of effort may be removed, but critics have suggested that difficulties in integrating these agencies may lead to a reduction in effectiveness.


75  See,  for  example,  Alan  S.  Brown,  “SCADA  vs.  the  Hackers,”  Mechanical  Engineering, 
December,  2002. 

76  William  F.  Rush  and  John  A.  Kinast,  “Here’s  What  You  Need  To  Know  To  Protect 
SCADA  Systems  From  Cyber-Attack,”  Pipeline  &  Gas  Journal,  February  2003. 

77  Jennifer  Alvey,  “Digital  Terrorism:  Holes  in  the  Firewall?  Plugging  Cyber  Security  Holes 
Isn’t  as  Easy  as  Everyone  Wants  to  Think,”  Public  Utilities  Fortnightly,  March  15,  2002. 


